diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 0000000000..9b28445ce0 --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,13 @@ +version: 2 +updates: + # Maintain dependencies for GitHub Actions + - package-ecosystem: github-actions + directory: / + schedule: + interval: daily + + # Maintain dependencies for Docker + - package-ecosystem: docker + directory: / + schedule: + interval: daily \ No newline at end of file diff --git a/.github/workflows/build_and_test.yml b/.github/workflows/build_and_test.yml index 7dfcd15668..a40d4e4690 100644 --- a/.github/workflows/build_and_test.yml +++ b/.github/workflows/build_and_test.yml @@ -10,14 +10,17 @@ on: branches: - "**" +# Declare default permissions as read only. +permissions: read-all + jobs: build: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 #v4.2.1 - name: Setup Java & Gradle - uses: actions/setup-java@v4 + uses: actions/setup-java@b36c23c0d998641eff861008f374ee103c25ac73 #v4.4.0 with: java-version: '17' distribution: 'temurin' @@ -28,7 +31,7 @@ jobs: curl -sSL https://secchannel.rsk.co/SUPPORT.asc | gpg2 --import - gpg2 --verify SHA256SUMS.asc && sha256sum --check SHA256SUMS.asc - - uses: actions/cache@v4 + - uses: actions/cache@3624ceb22c1c5a301c8db4169662070a689d9ea8 #v4.1.1 name: Cache Gradle Wrapper id: cache-gradle-wrapper with: @@ -46,7 +49,7 @@ jobs: ./gradlew --no-daemon --stacktrace build -x test - name: Archive build artifacts - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 #v4.4.3 with: name: build-files path: | 
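Review bot: The new Dependabot config covers `github-actions` and `docker` but not the project's Gradle dependencies, even though the workflows touched in this same commit build with `./gradlew`; a `gradle` ecosystem entry is the missing piece for the supply-chain goal this commit pursues. The `directory: /` below assumes the root build script, inferred only from `./gradlew` being invoked at the repository root — confirm before merging. The file also ends without a trailing newline (`\ No newline at end of file`), as does the new `dependency-review.yml`.
```yaml
# … unchanged: github-actions and docker entries …
  - package-ecosystem: gradle
    directory: /
    schedule:
      interval: daily
```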
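Review bot: The trailing version comments on the new `uses:` lines are written `#v4.2.1` with no space after the hash, which yamllint's `comments` rule rejects and which differs from the `# v4.2.1` form used in the new `dependency-review.yml`; the same spacing applies to every pinned `uses:` line in `build_and_test.yml`, `codeql.yml` and `rit.yml`, and `docker.yml` and `scorecard.yml` mix both forms. Pick one form, e.g. `uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1`, so reviewers and tooling recognise the version hint uniformly. The new top-level `permissions: read-all` is a sound default; if no job in this workflow needs more than repository access, `permissions:` / `  contents: read` would be the narrower form, but that depends on jobs outside this hunk.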
@@ -56,18 +59,18 @@ jobs: needs: unit-tests-java17 runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 #v4.2.1 with: fetch-depth: 0 - name: Setup Java & Gradle - uses: actions/setup-java@v4 + uses: actions/setup-java@b36c23c0d998641eff861008f374ee103c25ac73 #v4.4.0 with: java-version: '17' distribution: 'temurin' cache: 'gradle' - - uses: actions/cache/restore@v4 + - uses: actions/cache/restore@3624ceb22c1c5a301c8db4169662070a689d9ea8 #v4.1.1 name: Restore Gradle Wrapper with: path: | @@ -76,21 +79,21 @@ jobs: fail-on-cache-miss: true - name: Download build artifacts - uses: actions/download-artifact@v4 + uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 #v4.1.8 with: name: build-files path: | rskj-core/build - name: Download test results - uses: actions/download-artifact@v4 + uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 #v4.1.8 with: name: test-results path: | rskj-core/build/test-results/ - name: Download test reports - uses: actions/download-artifact@v4 + uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 #v4.1.8 with: name: test-reports path: | @@ -153,17 +156,17 @@ jobs: options: --name bitcoind2 steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 #v4.2.1 - name: Setup Node.js - uses: actions/setup-node@v4 + uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 #v4.0.4 with: node-version: '12.x' - name: Check Node.js version run: node --version - name: Checkout Mining Integration Tests Repository - uses: actions/checkout@v4 + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 #v4.2.1 with: repository: rsksmart/mining-integration-tests ref: ${{ secrets.MINING_INTEGRATION_TESTS_REF }} 
@@ -186,13 +189,13 @@ jobs: node --unhandled-rejections=strict generateBtcBlocks.js - name: Setup Java & Gradle - uses: actions/setup-java@v4 + uses: actions/setup-java@b36c23c0d998641eff861008f374ee103c25ac73 #v4.4.0 with: java-version: '17' distribution: 'temurin' cache: 'gradle' - - uses: actions/cache/restore@v4 + - uses: actions/cache/restore@3624ceb22c1c5a301c8db4169662070a689d9ea8 #v4.1.1 name: Restore Gradle Wrapper with: path: | @@ -201,7 +204,7 @@ jobs: fail-on-cache-miss: true - name: Download build artifacts - uses: actions/download-artifact@v4 + uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 #v4.1.8 with: name: build-files path: | @@ -236,16 +239,16 @@ jobs: needs: build runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 #v4.2.1 - name: Setup Java & Gradle - uses: actions/setup-java@v4 + uses: actions/setup-java@b36c23c0d998641eff861008f374ee103c25ac73 #v4.4.0 with: java-version: '17' distribution: 'temurin' cache: 'gradle' - - uses: actions/cache/restore@v4 + - uses: actions/cache/restore@3624ceb22c1c5a301c8db4169662070a689d9ea8 #v4.1.1 name: Restore Gradle Wrapper with: path: | @@ -258,14 +261,14 @@ jobs: ./gradlew --no-daemon --stacktrace test - name: Persist test results for sonar - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 #v4.4.3 with: name: test-results path: | rskj-core/build/test-results/ - name: Persist test reports for sonar - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 #v4.4.3 with: name: test-reports path: | 
@@ -275,16 +278,16 @@ jobs: needs: build runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 #v4.2.1 - name: Setup Java & Gradle - uses: actions/setup-java@v4 + uses: actions/setup-java@b36c23c0d998641eff861008f374ee103c25ac73 #v4.4.0 with: java-version: '21' distribution: 'temurin' cache: 'gradle' - - uses: actions/cache/restore@v4 + - uses: actions/cache/restore@3624ceb22c1c5a301c8db4169662070a689d9ea8 #v4.1.1 name: Restore Gradle Wrapper with: path: | @@ -300,16 +303,16 @@ jobs: needs: build runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 #v4.2.1 - name: Setup Java & Gradle - uses: actions/setup-java@v4 + uses: actions/setup-java@b36c23c0d998641eff861008f374ee103c25ac73 #v4.4.0 with: java-version: '17' distribution: 'temurin' cache: 'gradle' - - uses: actions/cache/restore@v4 + - uses: actions/cache/restore@3624ceb22c1c5a301c8db4169662070a689d9ea8 #v4.1.1 name: Restore Gradle Wrapper with: path: | diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 637f0af13e..5fefc04bd2 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -8,13 +8,14 @@ on: schedule: - cron: "0 0 * * *" +# Declare default permissions as read only. +permissions: read-all + jobs: analyze: name: Analyze runs-on: ubuntu-latest permissions: - actions: read - contents: read security-events: write strategy: @@ -24,11 +25,11 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 #v4.2.1 - name: Setup Java JDK if: ${{ matrix.language == 'java' }} - uses: actions/setup-java@v3 + uses: actions/setup-java@b36c23c0d998641eff861008f374ee103c25ac73 #v4.4.0 with: java-version: '17' distribution: 'temurin' 
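Review bot: Removing `actions: read` and `contents: read` from the `analyze` job leaves that job with only `security-events: write`, and a job-level `permissions` block replaces the workflow-level `read-all` rather than merging with it, so every unlisted scope becomes `none` for this job. The CodeQL action documents `contents: read` as required and `actions: read` as required for private repositories, so the checkout and upload steps in this job now presumably work only because the repository is public. Keep the job block complete: `permissions:` / `  actions: read` / `  contents: read` / `  security-events: write`. The `strategy` and `steps` of the job continue outside the hunk.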
@@ -38,15 +39,15 @@ jobs: run: ./configure.sh - name: Initialize CodeQL - uses: github/codeql-action/init@v3 + uses: github/codeql-action/init@f779452ac5af1c261dce0346a8f964149f49322b #v3.26.13 with: languages: ${{ matrix.language }} queries: +security-and-quality - name: Autobuild - uses: github/codeql-action/autobuild@v3 + uses: github/codeql-action/autobuild@f779452ac5af1c261dce0346a8f964149f49322b #v3.26.13 - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v3 + uses: github/codeql-action/analyze@f779452ac5af1c261dce0346a8f964149f49322b #v3.26.13 with: category: "/language:${{ matrix.language }}" diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml new file mode 100644 index 0000000000..e513e55f8e --- /dev/null +++ b/.github/workflows/dependency-review.yml @@ -0,0 +1,20 @@ +name: 'Dependency Review' +on: [pull_request] + +permissions: read-all + +jobs: + dependency-review: + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + steps: + - name: 'Checkout Repository' + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 + + - name: 'Dependency Review' + uses: actions/dependency-review-action@5a2ce3f5b92ee19cbb1541a4984c76d921601d7c # v4.3.4 + with: + fail-on-severity: high + comment-summary-in-pr: true \ No newline at end of file diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml index a05727d7ed..24642b3453 100644 --- a/.github/workflows/docker.yml +++ b/.github/workflows/docker.yml @@ -7,17 +7,20 @@ on: tags: - '*' +# Declare default permissions as read only. +permissions: read-all + jobs: docker: runs-on: ubuntu-20.04 steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 #v4.2.1 - name: Docker meta id: meta - uses: docker/metadata-action@v4 + uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 #v5.5.1 with: images: rsksmart/rskj tags: | 
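Review bot: `fail-on-severity: high` means pull requests that add dependencies carrying only moderate or low advisories pass this gate, which is a policy choice the file should state, e.g. `fail-on-severity: high  # block high/critical advisories only; lower severities are surfaced in the summary`. `comment-summary-in-pr: true` is backed by `pull-requests: write` here, but on `pull_request` events from forks the `GITHUB_TOKEN` is read-only, so the comment presumably cannot be posted in that case — worth checking how the action behaves there. The file also lacks a trailing newline.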
@@ -28,13 +31,13 @@ jobs: type=match,pattern=(\w+-\d+)\.\d+\.\d+.*,group=1 - name: DockerHub login - uses: docker/login-action@v2 + uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} - name: Build and push - uses: docker/build-push-action@v3 + uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 #v6.9.0 with: context: . push: true diff --git a/.github/workflows/rit.yml b/.github/workflows/rit.yml index 487767549f..98e6c8dfb7 100644 --- a/.github/workflows/rit.yml +++ b/.github/workflows/rit.yml @@ -17,6 +17,9 @@ on: required: false default: 'master' +# Declare default permissions as read only. +permissions: read-all + jobs: rootstock-integration-tests: name: Rootstock Integration Tests @@ -24,7 +27,7 @@ jobs: timeout-minutes: 60 steps: - name: Checkout Repository # Step needed to access the PR description using github CLI - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 #v4.2.1 - name: Set Branch Variables id: set-branch-variables diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml new file mode 100644 index 0000000000..d357502f8f --- /dev/null +++ b/.github/workflows/scorecard.yml 
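Review bot: This hunk raises `docker/build-push-action` from `@v3` to v6.9.0 and `docker/login-action` from `@v2` to v3.3.0 under the SHA pin, so the pinning commit also carries major-version upgrades whose behaviour changes are not mentioned anywhere; if I recall correctly, build-push-action from v4 onwards attaches provenance attestations by default, which changes what `push: true` publishes to `rsksmart/rskj` — verify against the release notes or set the `provenance` input explicitly. Splitting the upgrade from the pinning, or at least noting it in the version comment, `uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0 (major bump from v3)`, would keep the change reviewable. The `# v3.3.0` and `#v6.9.0` comments in the same hunk also differ in spacing.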
@@ -0,0 +1,47 @@ +name: Scorecard supply-chain security +on: + branch_protection_rule: + schedule: + - cron: '33 2 * * 2' + push: + branches: [ "master" ] + +# Declare default permissions as read only. +permissions: read-all + +jobs: + analysis: + name: Scorecard analysis + runs-on: ubuntu-latest + permissions: + security-events: write + id-token: write + + steps: + - name: "Checkout code" + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 #v4.2.1 + with: + persist-credentials: false + + - name: "Run analysis" + uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0 + with: + results_file: results.sarif + results_format: sarif + publish_results: true + + # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF + # format to the repository Actions tab. + - name: "Upload artifact" + uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 #v4.4.3 + with: + name: SARIF file + path: results.sarif + retention-days: 5 + + # Upload the results to GitHub's code scanning dashboard (optional). + # Commenting out will disable upload of results to your repo's Code Scanning dashboard + - name: "Upload to code-scanning" + uses: github/codeql-action/upload-sarif@c36620d31ac7c881962c3d9dd939c40ec9434f2b # v3.26.12 + with: + sarif_file: results.sarif diff --git a/Dockerfile b/Dockerfile index 8d75e05395..729d3c76a4 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM eclipse-temurin:17-jdk AS build +FROM eclipse-temurin:17-jdk@sha256:08295ab0f5007a37cbcc6679a8447a7278d9403f9f82acd80ed08cd10921e026 AS build RUN apt-get update -y && \ apt-get install -y git curl gnupg 
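Review bot: `github/codeql-action/upload-sarif` is pinned here to `c36620d31ac7c881962c3d9dd939c40ec9434f2b # v3.26.12`, while `codeql.yml` in this same commit pins `init`, `autobuild` and `analyze` of the same action to `f779452ac5af1c261dce0346a8f964149f49322b #v3.26.13`; two pins of one action in one commit invite drift, so use the newer SHA here as well: `uses: github/codeql-action/upload-sarif@f779452ac5af1c261dce0346a8f964149f49322b # v3.26.13`. `branch_protection_rule:` with no value parses as YAML `null`, which is what the upstream Scorecard template ships, but `branch_protection_rule: {}` or a short comment would make the "all activity types" intent explicit. `persist-credentials: false` on the checkout is the right call given the job holds `id-token: write`.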
@@ -19,8 +19,8 @@ RUN gpg --keyserver https://secchannel.rsk.co/SUPPORT.asc --recv-keys 1DC9157991 modifier=$(sed -n 's/^modifier=//p' "$file" | tr -d "\"'") && \ cp "rskj-core/build/libs/rskj-core-$version_number-$modifier-all.jar" rsk.jar -FROM eclipse-temurin:17-jre -LABEL org.opencontainers.image.authors="ops@iovlabs.org" +FROM eclipse-temurin:17-jre@sha256:f1515395c0695910a3ca665e973cc11013d1f50d265e61cb8c9156e999d914b4 +LABEL org.opencontainers.image.authors="ops@rootstocklabs.com"" RUN useradd -ms /sbin/nologin -d /var/lib/rsk rsk USER rsk diff --git a/README.md b/README.md index 9888c7efdd..a671b8378e 100644 --- a/README.md +++ b/README.md @@ -3,6 +3,7 @@ [![Rootstock Integration Tests](https://github.com/rsksmart/rskj/actions/workflows/rit.yml/badge.svg)](https://github.com/rsksmart/rskj/actions/workflows/rit.yml) [![Quality Gate Status](https://sonarcloud.io/api/project_badges/measure?project=rskj&metric=alert_status)](https://sonarcloud.io/dashboard?id=rskj) [![CodeQL](https://github.com/rsksmart/rskj/workflows/CodeQL/badge.svg)](https://github.com/rsksmart/rskj/actions?query=workflow%3ACodeQL) +[![OpenSSF Scorecard](https://api.scorecard.dev/projects/github.com/rsksmart/rskj/badge)](https://scorecard.dev/viewer/?uri=github.com/rsksmart/rskj) # About RskJ is a Java implementation of the Rootstock node. For more information about Rootstock, visit [rootstock.io](https://rootstock.io/). The [Rootstock white paper](https://rootstock.io/rsk-white-paper-updated.pdf) provides a complete conceptual overview of the platform.
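Review bot: The new `LABEL` line carries a doubled closing quote, `"ops@rootstocklabs.com""`, which is a typo; whether the Dockerfile parser rejects it or silently folds the empty second quoted segment into the value, it should read `LABEL org.opencontainers.image.authors="ops@rootstocklabs.com"`. The digest pin on the `17-jre` stage is the substantive change and is consistent with the `docker` Dependabot ecosystem added in this commit, which can keep the digest current.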